App Review The Shadowra's Battlefield Antivirus 2021

[Andy Ful]

The problem of corrupted files is more complex. These files can be a part of the larger attack (payloads) but simply require the initial loader or external resources (*.tmp, *.dll, *.dat, etc.).
They cannot be executed alone, so they cannot be also detected dynamically in such tests. They can be detected when the attack is monitored starting from the initial malware and ending with the final payload. After detecting the full attack, the signatures of such payloads can be blacklisted as for standard malicious files.

Post edited.

 

[Andy Ful]

I was thinking about how this test can be improved. My final thought is that it should be repeated several times. This can help to eliminate some random factors like this one mentioned by me in the previous post.

The test can be divided into two parts because the phishing part is independent of the rest.

It could also help if @Shadowra could show more Indicators of Compromise (IoCs) because it is often hard to see if the leftovers are real IoCs or not.

The method of calculating the scorings on the basis of on-demand scanners seems to show which AV is cleaner (leaves a smaller number of leftovers) and this can be related to the architecture of detections. Some AVs rely on the fast signatures in the cloud and these AVs will detect most malware without executing them (small number of leftovers). Others can rely more on post-execution detection (more leftovers).

 

[RansomwareRemediation]

F-Secure protection impressive, Kaspersky protection terrible (in default settings), I am struck by the poor detection in Kapersky. Bitdefender fine and Norton even though there were roughly 180 left over, the team stayed clean. Thanks for the test : c

 

[harlan4096]

Read previous comments about the test and the samples used (many corrupted files, signed and/or old "legit" PUP), those results can lead to false conclusions.

It is not clear in that list of punctuation which systems remained protected.

I would also like to see there Kaspersky Removal Tool running as Second Opinion Scanner.

 

[mohamed200]

@Shadowra thank you a lot for these test
I have a request if may, can you test appcheck anti-ransomware free to see how he react vs ransomware test

 

[Shadowra]

@Shadowra thank you a lot for these test
I have a request if may, can you test appcheck anti-ransomware free to see how he react vs ransomware test

It is planned for my return from vacation, around January 5th

 

[Bushman]

It is planned for my return from vacation, around January 5th

Hello,
Could you also test zone Alarm next generation? thanks a lot and good vacation

 

[Shadowra]

Hello,
Could you also test zone Alarm next generation? thanks a lot and good vacation

Of course !!

 

[ForgottenSeer 92963]

Antivirus tested : Avast, Avira, Microsoft Defender, WiseVector, Bitdefender, Kaspersky, ESET, F-Secure, Trend Micro, Norton.

Shooting time: 10 hours
Editing time : 1 hour
Upload : 6 minutes

TWO FLAWS IN THIS TEST:

1. DID YOU CHECK THE SAMPLES WERE REALLY MALWARE AND EXECUTED CORRECTLY? THIS COULD EXPLAIN THE CORRUPTED FILES.
   
   
2. TESTED SEQUENTIALLY (SHOOTING TIME 10 HOURS), NOT IN PARALLEL MIGHT INFLUENCE RESULTS WITH AV's SHARING DETECTIONS (e.g. VT).

QUESTION: ARE THE AV's WITH THE BEST DETECTIONS TESTED LAST? IF SO, YOU HAVE PROVEN THAT SHARING SAMPLES WORKS.

I really applaud your time and effort you put into these tests. Also even when you buy additional 10 pc's and test AV's at the same time and run the malware samples in a sandbox to check they are not corrupted and really infect the system, you must make sure your ISP and DNS don't have any kind of malware detection or url monitoring in their 'extended/additional' service offering because this could affect bad URL detection also. I feel a bit sorry for you, all that time and effort you put in this test. Enjoy your holiday.

 

[Shadowra]

TWO FLAWS IN THIS TEST:

1. DID YOU CHECK THE SAMPLES WERE REALLY MALWARE AND EXECUTED CORRECTLY? THIS COULD EXPLAIN THE CORRUPTED FILES.
   
   
2. TESTED SEQUENTIALLY (SHOOTING TIME 10 HOURS), NOT IN PARALLEL MIGHT INFLUENCE RESULTS WITH AV's SHARING DETECTIONS (e.g. VT).

QUESTION: ARE THE AV's WITH THE BEST DETECTIONS TESTED LAST? IF SO, YOU HAVE PROVEN THAT SHARING SAMPLES WORKS.

1. I don't always check, basically I trust my supplier, especially since this battle was long....

2. I think it has nothing to do, during the comparison, the antiviruses are tested fairly, default, and PUPs activated.
I will not prioritize any software

3. No. The last ones were Bitdefender and Norton which was tested.

 

[ForgottenSeer 92963]

1. I don't always check, basically I trust my supplier, especially since this battle was long....

2. I think it has nothing to do, during the comparison, the antiviruses are tested fairly, default, and PUPs activated.
I will not prioritize any software

3. No. The last ones were Bitdefender and Norton which was tested.

1. That is a problem

2. Yes it has, when they are not tested at the same time, the playing field is not equal

3. It makes a difference. which was the testing sequence and what were the results in your scoring method

 

[Shadowra]

1. That is a problem

2. Yes it has, when they are not tested at the same time, the playing field is not equal

3. It makes a difference. which was the testing sequence and what were the results in your scoring method

Not at all.
You should know that during the tests, I do not send ANYTHING to the editors!
It's only after the video is published that I send them, so as not to interfere.
By the way, I don't use VirusTotal to check if a file is malicious but a site that does not distribute

EDIT :

3.
I would have liked to send you the note file, but I'm not at home (even if me and my mother have the same speedtest ^^ )

I note:

- User interface (user-friendly? messy? complicated?)
- Phishing reactivity
- Reactivity malicious link
- Analysis (time, score etc)
- Cleaning (time, how many it removes)
- Launch reaction (what Avira, Trend, F-Secure and Microsoft Defender did)

I hope I answered your question. If you want to talk about specific points, don't hesitate.

 

[ForgottenSeer 92963]

@Shadowra what was the sequence in which you tested the AV's

AV's share their new detections. Usually when an A-lister detects something on VirusTotal, within 12 hours all A-listers will detect that samplev(by hash and URL). Besides thar AV's using an other Engine (e.g Bitdefender or Avast) will get the updates through inter-company channels.

 

[Shadowra]

@Shadowra what was the sequence in which you tested the AV's

Here is the order

• Avast
• Avira
• Microsoft Defender
• Eset
• F-Secure
• Kaspersky
• WiseVector
• Trend Micro
• Bitdefender
• Norton

Then the test protocol is identical

AV's share their new detections. Usually when an A-lister detects something on VirusTotal, within 12 hours all A-listers will detect that samplev(by hash and URL). Besides thar AV's using an other Engine (e.g Bitdefender or Avast) will get the updates through inter-company channels.

=> By the way, I don't use VirusTotal to check if a file is malicious but a site that does not distribute

 

[ForgottenSeer 92963]

=> By the way, I don't use VirusTotal to check if a file is malicious but a site that does not distribute

I am not posting that you are doing it, but the AV's share new detections (inter company and through VT), usually with some delay (on average 12 hours)

 

[NewbyUser]

I am not posting that you are doing it, but the AV's share new detections (inter company and through VT), usually with some delay (on average 12 hours)

AV's don't share detections through VT, VT is a private entity run by Google. The AV companies also do not typically share with each other. All major AVs have excellent collecting, coding and distribution of signatures most of this process is automated and takes only a few hours. Each AV is a privately held/run company with no incentive to share detections or coding mechanisms, that would put themselves out of business.

Some companies don't produce an engine of their own and license from another company. This may be what you are confusing with "sharing" detections.

 

[Kongo]

Too much criticism and not enough appreciation for all the effort he has made creating the video. It's not even possible for most testers to test the AVs simultaniously if they don't have a NASA PC. Only proper option would be creating an individual VM for each AV and I am pretty sure that with such a big list of AVs pretty much every computers hardware would struggle out there. Keep in mind that he is a hobby-tester after all. @Kees1958

 

[NewbyUser]

Too much criticism and not enough appriciation for all the effort he has made creating the video. It's not even possible for most testers to test the AVs simultaniously if they don't have a NASA PC. Only proper option would be creating an individual VM for each AV and I am pretty sure that with such a big list of AVs pretty much every computers hardware would struggle out there. Keep in mind that he is a hobby-tester after all. @Kees1958

Excellent Point!! Didn't mean to add to the distractions

 

[Shadowra]

I really applaud your time and effort you put into these tests. Also even when you buy additional 10 pc's and test AV's at the same time and run the malware samples in a sandbox to check they are not corrupted and really infect the system, you must make sure your ISP and DNS don't have any kind of malware detection or url monitoring in their 'extended/additional' service offering because this could affect bad URL detection also. I feel a bit sorry for you, all that time and effort you put in this test. Enjoy your holiday.

Why be sorry?
A forum is made to debate, there was no amiosite towards me
You didn't disrespect me or anything, you had questions, I answered

To answer you with the DNS of my operator, no filtering Phishing or malware is proposed.
They just offer an Antivirus (McAfee).
I don't use the DNS of the fai, but NextDNS.
And the web filtering of NordVPN is disabled.

Have a great holiday.

 

[ForgottenSeer 92963]

Too much criticism and not enough appreciation for all the effort he has made creating the video

I posted this appreciation: "I really applaud your time and effort you put into these tests" in post #29 not enough? then I will say it again (and more explicitly)

@Shadowra "I really appreciate (and applaud) the time and effort you put into these tests".